‘Immunity’ Develops Exploit, Allows Compromising Host OS

Immunity the company for penetration-testing has demonstrated how through the exploitation of a security vulnerability within VMware software, it is possible to compromise the operating system of a virtual computer on which malicious code is executed.

Reportedly, Immunity added exploit called Cloudburst to an updated version of its Canvas 6.47 a commercial device for penetration-testing, released on 2nd June 2009. The developer of this exploit is Kostya Kortchinsky a researcher at Immunity. DarkReading reported this on June 4, 2009.

State security specialists that Cloudburst looks for security flaw in VMware platform of virtual machine that could be abused through a malicious video file. When this specially crafted video file is executed on a virtual computer, it allows the intruder to compromise the host machine's OS.

Further, the flaw itself makes an impact on VMware Workstation 6.5.1 and previous versions, or related Player editions. Although the software could be on Linux or other host systems, yet there are certain limitations for the Cloudburst attack code, Kortchinsky said. According to him, the exploit is confined to the mentioned versions with the additional limitation that both the host and guest systems must be Windows-based.

Meanwhile, the flaw that is designated the CVE (Common Vulnerabilities and Exploits) reference CVE-2009-1244, was revealed during January 2009, while VMware patched it during April same year. However, according to Immunity, since system administrators often fail to update their systems with patches, they could be susceptible to the assault.

The security company further stated that since the flaw works with already shipped VMware configurations, it is extremely dangerous. Security firm Secunia rated the bug as "highly critical."

Elucidating on the attack code, director Nick Selby of The 451 Group's enterprise security practice said that administrators are prone to believe that it isn't possible to exit from a VM, reports DarkReading. Selby added that many regard the attack code as a proof-of-exploit whereas it is actually a saleable exploit.

Meanwhile two similar flaws were discovered in 2007 comprising a memory corruption flaw (CVE-2007-4496) and a Shared Folders execution flaw (CVE-2007-1744) with which an attacker could view or rewrite folders on a vulnerable system.

Related article: “Loopholes did not cause online banking thefts”: ICBC

» SPAMfighter News - 6/17/2009